forked from zentralwerk/network
105 lines
2.7 KiB
Nix
105 lines
2.7 KiB
Nix
# Server network configuration
|
|
{ hostName, self, config, lib, pkgs, ... }:
|
|
|
|
let
|
|
# LXC containers on this host
|
|
containers =
|
|
lib.filterAttrs (_: { role, model, location, ... }:
|
|
role == "container" &&
|
|
model == "lxc" &&
|
|
location == hostName
|
|
) config.site.hosts;
|
|
|
|
# Every bridged veth network required by all containers
|
|
bridgeNets =
|
|
lib.lists.unique (
|
|
builtins.concatMap ({ interfaces, ... }:
|
|
builtins.attrNames (
|
|
lib.filterAttrs (_: { type, ... }: type == "veth") interfaces
|
|
)) (builtins.attrValues containers)
|
|
);
|
|
|
|
# Every network (both veth+phys) required by all containers
|
|
ctNets =
|
|
lib.lists.unique (
|
|
builtins.concatMap ({ physicalInterfaces, ... }:
|
|
builtins.attrNames physicalInterfaces
|
|
) (builtins.attrValues containers)
|
|
);
|
|
|
|
in
|
|
{
|
|
networking.firewall = {
|
|
enable = true;
|
|
allowedTCPPorts = [
|
|
# SSH
|
|
22
|
|
];
|
|
};
|
|
|
|
systemd.network = {
|
|
enable = true;
|
|
|
|
netdevs = {
|
|
bond0.netdevConfig = {
|
|
Kind = "bond";
|
|
Name = "bond0";
|
|
};
|
|
# LACP
|
|
bond0.bondConfig.Mode = "802.3ad";
|
|
} // (
|
|
builtins.foldl' (result: net: result // {
|
|
# Bridges are named just like the corresponding net.
|
|
"${net}".netdevConfig = {
|
|
Kind = "bridge";
|
|
Name = "${net}";
|
|
};
|
|
}) {} bridgeNets
|
|
) // (
|
|
builtins.foldl' (result: net: result // {
|
|
# External VLAN interfaces (to be attached to net bridges) are
|
|
# named with an "ext-" prefix.
|
|
"ext-${net}" = {
|
|
netdevConfig = {
|
|
Kind = "vlan";
|
|
Name = "ext-${net}";
|
|
};
|
|
vlanConfig.Id = config.site.net.${net}.vlan;
|
|
};
|
|
}) {} ctNets
|
|
);
|
|
|
|
networks = {
|
|
en = {
|
|
# physical ethernet ports
|
|
matchConfig.Name = "en*";
|
|
networkConfig.Bond = "bond0";
|
|
};
|
|
bond0 = {
|
|
DHCP = "no";
|
|
matchConfig.Name = "bond0";
|
|
networkConfig = {
|
|
VLAN = map (net: "ext-${net}") ctNets;
|
|
LinkLocalAddressing = "no";
|
|
};
|
|
};
|
|
} // (builtins.foldl' (result: net: result // {
|
|
"${net}" = {
|
|
matchConfig.Name = net;
|
|
networkConfig = {
|
|
# Disable all automatic addressing on bridges. It will delay
|
|
# networkd going into operational state.
|
|
DHCP = lib.mkDefault "no";
|
|
LinkLocalAddressing = lib.mkDefault "no";
|
|
};
|
|
};
|
|
}) {} bridgeNets) // builtins.foldl' (result: net: result // {
|
|
"ext-${net}" = {
|
|
matchConfig.Name = "ext-${net}";
|
|
# Attach eth*/bond0/VLAN to bridge
|
|
networkConfig.Bridge = net;
|
|
};
|
|
}) {} ctNets;
|
|
};
|
|
}
|